I'm writing a custom provider, and looking at how to get access to the access_token in the callback respones. It looks buried in serverless-authentication which seems to return a profile, but no access_token. But maybe I'm missing something?

Hey there!

Thanks for the work on this project, it's great. Just one quick noob question!

After successfully authenticating with a 3rd party oauth service and receiving a 224 character authorization_token, how do I go about then using this to make authenticated requests to the third party's API? For example, getting the authenticated user's profile data.

Cheers for all your work and help!

J.

Have followed README line by line. When running the tests I get the following errors:

Setup specs
1) "before all" hook

Authentication
Signin
2) should fail to return token for invalid provider

All the Authentication Providers error as well. Serverless 1.0.2 installed. OSX El Capitan. Docker 1.12.1

This is relatively minor and likely indicative of my lack of understanding, but the authorization and refresh tokens that are returned by the boilerplate, are these the actual tokens (access_token, refresh_token) that the provider has returned or representative of them?

Relatedly, are you overriding the Auth Token expiration time? Say if you customized the code to authorize with Spotify who returns an access_token and a refresh_token and the expiration on the access_token is 3600s, are you arbitrarily setting the new expiration (15s) or does that mean we can also extend it?

Thanks for any guidance in this matter

I was wondering if you can share how you developed this project? Did you do it all in node before moving to severless?

Like the serverless ones on youtube, make it really easier to follow.

Add Custom Authorizer to s-resources-cf.json and use authorization id

serverless/serverless#728

Hello,

This works great on the web. But it would be cool with a boilerplate for a "mobile app".
Where you don't use the redirect flows. Cause that's usually handled by the app and then the app will have a token that it would like to send to serverless-authentication

Any plans on that ? :)

I may be misunderstanding something here, but for security purposes, it seems like we'd want a handler that, on signout, immediately revokes the latest refresh and auth tokens so that if someone had either, they'd no longer work (particularly the refresh token). I see there's a revokeRefreshToken function in the cacheStorage.js example, which could work, but it also appears to create a new refresh token. (Which isn't really a problem as long as its not returned to the client.)

Basically I suppose I'm just curious: If I wanted to create my own signout handler to satisfy the security needs described above, what's the best approach to doing so?

Thanks so much for implementing the boilerplate, very helpful!

I saw that in the dynamo cache the existence of the token is not checked:

    const newRefreshToken = (data) => {
      const userId = data.Items[0].userId;
      const payload = data.Items[0].payload;

https://github.com/laardee/serverless-authentication-boilerplate/blob/master/authentication/lib/storage/dynamo/dynamoCache.js#L149

Added the following check:

  if (data.Count <= 0) return Promise.reject('Invalid token');

Also it looks like you can use expired tokens, the query does not restrict to expired=false:

      const params = {
        TableName: table,
        ProjectionExpression: '#token, #type, #userId',
        KeyConditionExpression: '#token = :token and #type = :type',
        ExpressionAttributeNames: {
          '#token': 'token',
          '#type': 'type',
          '#userId': 'userId'
        },
        ExpressionAttributeValues: {
          ':token': oldToken,
          ':type': 'REFRESH'
        }
      };

https://github.com/laardee/serverless-authentication-boilerplate/blob/master/authentication/lib/storage/dynamo/dynamoCache.js#L129

Changed params to:

      const params = {
        TableName: table,
        ProjectionExpression: '#token, #type, #userId, #expired',
        KeyConditionExpression: '#token = :token and #type = :type',
        FilterExpression: '#expired = :expired',
        ExpressionAttributeNames: {
          '#token': 'token',
          '#type': 'type',
          '#userId': 'userId',
          '#expired': 'expired'
        },
        ExpressionAttributeValues: {
          ':token': oldToken,
          ':type': 'REFRESH',
          ':expired': false
        }
      };

Hey,
I've been working with this boilerplate on and off, but it feels incomplete.
Now that API Gateway allows Authorization via Cognito User Pools, I feel like there should be an example included of a restricted zone that is only accessible via a user pool user.

Serverless.yml supports this type of authorization, but I couldn't get it to work myself (otherwise I would've sent a Pull Request..).

When requesting a new feature or enhancement, please be sure to include the following:

• The reason why you think this new feature will help you and help other users as well

I'm very new to AWS and serverless but know I want to use serverless for the lambda part of my backend. My app, Brian is for older people who will not have accounts so federated access is no good. I saw that I could manage my own auth but that is more than I wish to take on. Then I discovered the Beta/Preview User Pools which are perfect. Or will be once stable. I can add federation later.

• The reason why you think this new feature is relavent to the Serverless Framework (within scope)

I'm not clear on the road map for User Pools or how much churn their may yet be but I think they will be a great feature to extend the existing serverless support. It extends the options for authentication.

• If you're familiar with our codebase, I'd be really helpful to share some design ideas on how to implement it, or better yet, open a PR!

Way beyond me but I guess it needs core support and then adding to the boilerplate

Hello,

I would like to add email and password authentication. What would be required to do this?

I'm getting the following error when running serverless deploy

  Serverless Error ---------------------------------------
 
     Trying to populate non string value into a string for
     variable ${self:provider.environment.SERVICE}. Please
     make sure the value of the property is a string.
 
  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
 
  Your Environment Information -----------------------------
     OS:                 linux
     Node Version:       4.3.2
     Serverless Version: 1.5.0

Not being any sort of expert on oAuth, I can see that I can use this project to authenticate against Google's oAuth service for my various Google accounts.

However, if there's only one Google domain that I want to support login for (e.g. a G Suite domain for a business), but not the others, how would I go about configuring this?

I'd guess I'd use the Custom Google provider, but I couldn't find any mechanism for doing this.

Any pointers here would be much appreciated.

Is it planned to get typings support (with TypeScript) on this library?

Are there plans to support Developer Authenticated Identities?

http://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html

LambdaAuth does this, but it would be nice to have it as a serverless plugin

https://github.com/danilop/LambdAuth

Here are 3 sequence diagrams of how this works, that you can plug into https://www.websequencediagrams.com/ when you are making slides or whatever.

title Authentication
Browser->Sign In: Initial request
Sign In -> Facebook: Redirect
note over Facebook: Approve login
Facebook -> Callback: Redirect
Callback -> FaunaDB: Find or create user
FaunaDB -> Callback: Database secret for user
Callback -> Browser: Set authorization header

title Authorization
Browser -> Content Service: API Request
Content Service -> Authorizer: Authorization to Policy
Authorizer -> Content Service: Policy w/ FaunaDB Secret
Content Service <-> FaunaDB: Load application data
Content Service -> Browser: Render API response

title Refresh
Browser -> Content Service: API Request
Content Service -> Authorizer: Authorization to Policy
Authorizer -> Content Service: Access denied
Content Service -> Browser: Access denied
Browser -> Refresh: XHR Request with refresh token
Refresh -> FaunaDB: Find user for token
FaunaDB -> Refresh: Database secret for user
Refresh -> Browser: Set Authorization Header

Looks like this:

The only ref to us-west-2 I can find is in the test token. Where should I replace with my region?

Is there a way to redirect the user to his/her current position?

E.g. The user is on /cars. After he logs in i want him to be end up on /cars again.
If he is on /watches i want him to be redirected to /watches.

As far as i understand

"redirectClientURI": "http://url-to-frontend-webapp/"

determins the redirect URI. How can i make something like "redirectClientURI": "origin" work?

I need to enable authentication by email/password for my API. This is not basic http auth, as I need to verify the data from a MySQL database.

Would it make sense to create a new "provider" package serverless-authentication-database, that will generate some sort of authorization_token which will return the user id ?

There's a lot of security issues to worry about here, hence I'd love to get your input before I get started.

Hello, I'm having a problem where, even though my authorization_uri is set to an https address, when it ends up making the request, it formats the url like so: http://foo.bar.com:443/v1/token/jwt

Our endpoint ends up returning a moved permanently 301 because it does not start with https. Here's the set up I have in my custom provider (some values changed for privacy):

const callbackHandler = (event, config, callback) => {
  const myProvider = new Provider(config);
  const profileMap = response =>
    new Profile({
      id: response.id,
      provider: 'foo-sso',
      at: response.access_token
    });

  const options = {
    authorization_uri: 'https://foo.bar.com/v1/token/jwt',
    profile_uri: 'https://foo.bar.com/api/me',
    profileMap
  };

  myProvider.callback(
    event,
    options,
    { authorization: { grant_type: 'authorization_code' } },
    callback
  );
};

When I print out the response object from your serverless-authentication -> provider.js line 102
notice that the location of the response is http://foo.bar.com:443/v1/token/jwt/

location: 'http://foo.bar.com:443/v1/token/jwt/',
'content-length': '253',
connection: 'close',
'content-type': 'text/html; charset=iso-8859-1' } },
read: [Function],
body: '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>301 Moved Permanently</title>\n</head><body>\n<h1>Moved Permanently</h1>\n<p>The document has moved <a href="http://foo.bar.com:443/v1/token/jwt/">here</a>.</p>\n</body></html>\n' }

Do you have any idea of what might be happening here? I've dug into the request module and found some places where it established protocol and everything seems fine, I can't quite find where the post function is defined that is called in provider.js on line 101. If you could even help me find the definition of that post function that would help me greatly, so I can figure out when my authorization_uri gets changed to http protocol.

_request2.default.post(authorization_uri, { form: payload }, function (error, response, accessData) {

Hi, I have a Amazon RDS account and i want to use this instead of DynamoDb. Is it possible > If so how can i do it ?

First of all, I know this is a general question of me rather than a real issue. The only reason I post here is I have a hard time finding a clear explanation on this.
I am trying to call the signIn method of this repository from my site by making "get" ajax call. However, I get the following error.

XMLHttpRequest cannot load https://9yh8kzx6b1.execute-api.us-east-
1.amazonaws.com/dev/authentication/signin/facebook. Redirect from 'https://9yh8kzx6b1.execute-
api.us-east-1.amazonaws.com/dev/authentication/signin/facebook' to 
'https://www.facebook.com/dialog/oauth?client_id=954130508021993&redirect_ur…
6cbad6184f6e45c5e50fe412d34593e8a896838dae54a4e3a3bc2270a6da647e991ded3539' has 
been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested 
resource. Origin 'http://mydomain.com' is therefore not allowed access.

Is there something I did wrong? I am not quite sure which part of the sign in process lacks the 'Access-Control-Allow-Origin' header. Is it my site (hosted on S3)? Is it the API gateway?

Hello, I'm using your auth framwork and am very happy with it. I cannot seem to figure out how to get the unauthorized 401 messages to include cors headers. What do you recommend?

If I want to sign in to Flickr Oauth implementation I have to use the base of Custom Google or create new serverless-authentication-microsoft / serverless-authentication-facebook / serverless-authentication-google?

Hello, I'm using your auth framwork and am very happy with it. I cannot seem to figure out how to get the unauthorized 401 messages to include cors headers. What do you recommend?

I am trying to sun sls deploy on the test-token folder but am getting

- Function not found: arn:aws:lambda:us-east-1:180971085012:function:uz4g3f3m8i.

previously I Installed the authentication sls and got

  GET - https://uz4g3f3m8i.execute-api.us-east-1.amazonaws.com/dev/authentication/signin/{provider}
  GET - https://uz4g3f3m8i.execute-api.us-east-1.amazonaws.com/dev/authentication/callback/{provider}
  GET - https://uz4g3f3m8i.execute-api.us-east-1.amazonaws.com/dev/authentication/refresh/{refresh_token}

Any ideas what else I can try?

I've followed the setup instructions for this and the gh-pages example and am running it locally.

However when I press the google sign-in the browser visits the signin URL:

https://uz4g3f3m8i.execute-api.us-east-1.amazonaws.com/dev/authentication/signin/google

but I just get this:

Node 4 LTS end-of-life is near... Hopefully, v8 support for Lambda comes before that.

This looks great for authorizing with different providers through an intermediary service, and setting up the endpoints to do so!

However, for using the auth-result of this with any other functions, and for re-usability, it seems like an ideal solution would be to use a "custom authorizer" to validate the credentials passed up for subsequent calls which would act as the middleware and pass the profile back to the lambda function.

The test app here appears to put the auth code inline which makes for a lot of duplicate boilerplate.

Authorizer Blueprints: https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/blob/master/blueprints/nodejs/index.js

I'm interested in discussing this, and potentially collaborating on a new project, or helping with this one...

It seems to me that Cognito and Auth0 can be very expensive, and open source Custom Authorizers would be an amazing alternative/cheap open source project to these pay solutions.

Example Deployment:

• Add your config for 1) 3rd party key/secret to your main serverless.yml file, 2) storage preference, etc..
• Import the node package within your functions folder.
• Document how to make a create account endpoint (passing up valid 3rd party federated token)
• Document how to use the library's authorizer to auto-auth and pass the profile to your main function on success. (Ex: https://github.com/eahefnawy/serverless-authorizer/blob/master/serverless.yml)

Is this support Firebase for user table?

I've been playing with this project for not so long so bare with me if this is more than a question than a feature request (it might as well be). I've been wondering how to have multiple redirect URIs (the case I have in mind is an OAuth flow on web that will redirect to https://my.domain.com/callback-route but also a mobile redirect (used by a mobile app via URL schemas like myapp://oauth-callback). This doesn't seem to be supported at this point, or am I missing something?

CUSTOM-GOOGLE on http://laardee.github.io/serverless-authentication-gh-pages redirects to

Error: redirect_uri_mismatch

with 400.

Refactor codebase to use promises instead of async library

Project name variable doesn't work when installing boilerplate, check if it is serverless issue

Add serverless-plugin-autoprune plugin as soon as it is updated to work with Serverless v.0.5.

My facebook application has a website and an iOS application configured in its settings, but my serverless application only uses the website redirect client uri via process.env.REDIRECT_CLIENT_URI. I'm wondering how to handle the iOS case as well.
Do you have any suggestion ?

Add CORS plugin as soon as it is updated to work with Serverless v.0.5.

Would be good if you could document exactly how to fill in PROVIDER_GOOGLE_ID & PROVIDER_GOOGLE_SECRET.

The installation documentation is great, but where's the documentation on how to use it?

How can i access the refresh_token returned e.g. by google?

Unfortunately i could't find it in the documentation...

@laardee thanks for the great serverless plugin

I've forked the latest version of the master branch as of today (11/02/2016) and integrated with the serverless-react-boilerplate. Features are:

• Writes user data to user table.
• Authenticates per user so that one user cannot modify another's data.
• Authenticates user before responding with auth token to prevent hacking.

Working demo here: http://sls-react-auth.s3-website-us-east-1.amazonaws.com/ (facebook login only).

See: https://github.com/jcummins54/serverless-react-boilerplate
and https://github.com/jcummins54/serverless-authentication-boilerplate

Would be happy to collaborate to make this a branch here.

I've been having trouble with Authorization (API Gateway) because of the password field. Diving a little deeper I've looked into the COGNITO_IDENTITY_POOL_ID variables that were added.

Since this boilerplate doesn't include User+Pass auth, is there any reason why we don't use Cognito Federated Identity Pools (as they seem to be more fitting for oauth providers)?

I am running node 4.0 via nvm and got this:

And here is the log file: npm-debug.log.tar.gz

Any idea?

As the test token example has it maybe this would make it more consistent?

http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/TTL.html

I'm using a version of this to access the Harvest API and it requires that for a profile request, the Content-Type and Accept headers be set. As written, serverless-authentication/lib/providers.js doesn't provide for the capability to set special headers for a custom provider.

I don't understand why is it necessary? I leave "token-secret-123"
and my project works prefect, so how it works?